Post-IPO, Facebook will have to make privacy investigations public

When it comes to information privacy concerns, Facebook already has a bullseye on its back. That won't change now that Facebook is going public in its highly anticipated Initial Public Offering (IPO). But disclosure rules affecting publicly traded companies may force Facebook to reveal privacy-related investigations that it otherwise might have kept secret.

Facebook won't face any new regulations or government oversight specifically related to privacy, according to the experts who spoke to Ars. But in the cases of inquiries from the Federal Trade Commission or attorneys general, investigations that might otherwise remain private would become public because Facebook will be forced to disclose events that could have a material impact on earnings.

Still, it is possible for private companies to keep investigations secret in cases where public companies cannot, because the FTC does not announce investigations before they are concluded, and may not announce them at all, said Jules Polonetsky, director of the Future of Privacy Forum and former Chief Privacy Officer for both AOL and DoubleClick. Various quarterly and annual filings with the Securities and Exchange Commission must inform the public about risks potentially affecting earnings, which may include investigations into privacy practices.

"When I was at DoubleClick many years ago, before I got there, they had to announce their FTC inquiry because they felt it was a significant, material event, even though the FTC wasn't making any announcements and in the end closed the inquiry," Polonetsky told Ars. "But they had to disclose it and it kicked off a lot of attention."

Facebook IPO discusses potential privacy risks

"The FTC and DPC (Irish Data Protection Commissioner) have investigated and audited aspects of our products and practices, and we expect to continue to be the subject of regulatory investigations and audits in the future by these and other regulators throughout the world," Facebook's filing states.

"It is possible that a regulatory inquiry might result in changes to our policies or practices. Violation of existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could negatively affect our financial condition and results of operations. In addition, it is possible that future orders issued by, or enforcement actions initiated by, regulatory authorities could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business."

The Facebook filing also lists various risk factors that could affect its profitability, including new data protection laws being considered in Europe that would mandate "more stringent operational requirements for data processors and significant penalties for non-compliance." Facebook also notes there are legislative proposals in the US at the state and federal level that could similarly harm its business.

Facebook further states its business could be harmed by "system failures or breaches of security or privacy… changes in the legislative or regulatory environment, including with respect to privacy, or enforcement by government regulators, including fines, orders, or consent decree… [or] changes in user sentiment about the quality or usefulness of our products or concerns related to privacy and sharing, safety, security, or other factors."

The requirement that Facebook must disclose privacy investigations (at least the ones that are considered material to its business) aren't a result of specific privacy laws. Rather, public companies must disclose any adverse event, Polonetsky noted. (For an oil company, that could be an oil spill.) As Facebook is a large handler of private user data, investigations into how it handles that data is among the biggest risks it faces.

Still, it is not always clear as to whether something must be disclosed. Polonetsky pointed out that there were claims from investors over whether Apple should disclose more information about the health of Steve Jobs before his death in October of 2011. AOL was forced into a settlement after accusations that it artificially inflated its value prior to the 2000 merger with Time Warner with accounting tricks that hid problems in its ad business.

To follow the law, public companies must tell shareholders of risks in many of these cases. But before an IPO, "There is no particular obligation to report on anything. … For example if one had an FTC inquiry, if I'm a private company, the FTC is not announcing it, and if it doesn't leak no one knows about it," Polonetsky says. "It maybe goes away, it maybe doesn't become public. There are lots of investigations that don't become public because the FTC just asks some questions and not everything leads to something significant."

Public or not, Facebook is a lightning rod

Facebook would have continued to receive heavy scrutiny even if it hadn't filed for an IPO, according to Justin Brookman, former Internet Bureau chief at the New York Attorney General's office and current director of the Project on Consumer Privacy at the Center for Democracy & Technology. The FTC settlement that Facebook signed as a private company will allow the FTC to impose substantial financial penalties against Facebook if it violates privacy laws, he noted. "As far as going public I don't think there exists much difference in the level of scrutiny levied at Google, who is public, and Facebook, who isn't," Brookman told Ars. "I don't think it will change much."

"It's hard to imagine Facebook having more of a target on their backs than they already do," Brookman said. "They have access to so much data, they're going to continue to be the focus of a lot of privacy debates."